[Info-vax] Unexpected DECnet Phase IV functionality with possible captive account implications
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Thu May 13 08:13:26 EDT 2021
On 2021-05-13, Tad Winters <tad.vms at gmx.com> wrote:
>
> So you're saying that you want _one_ flag on a user account to not only
> restrict interactive access to the defined login command procedure, but
> to actually allow no other kinds of access? Perhaps the setting of that

No. Some way of leaving the passive network file access capabilities
active while disabling the active functionality by default.

As hard as it might be for some people around here to understand this,
security is a moving target and a design created several decades ago
might just possibly need changing to reflect modern security knowledge
and issues.

> flag should implicitly mark the account with /NOBATCH /NONETWORK
> /NOREMOTE. Maybe you'd also like to use /PWDMINIMUM=30? Should
> AUTHORIZE confirm the login command procedure exists and then SET
> SECURITY/CLASS=FILE/PROTECTION=(WORLD) {the command procedure filename}?
>
> Maybe AUTHORIZE should audit the content of the login command procedure
> to make sure it will work as you intend. It will then also need to
> translate SYS$SYLOGIN and audit that command procedure as well.
>
> What else do you need it to do?
>
People might think they are being clever with comments like this,
but in reality it just makes them look ossified.

Simon.

--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.